From e310478e6dd532d2d729629dadb80a08f14b9094 Mon Sep 17 00:00:00 2001 From: Clement Michaud Date: Sat, 25 Mar 2017 15:28:57 +0100 Subject: [PATCH] Allow per user access control rules --- config.template.yml | 3 ++ src/lib/routes/first_factor.js | 13 ++++-- test/unitary/routes/test_first_factor.js | 54 +++++++++++++++++------- 3 files changed, 50 insertions(+), 20 deletions(-) diff --git a/config.template.yml b/config.template.yml index b84fb053..d05e0de6 100644 --- a/config.template.yml +++ b/config.template.yml @@ -50,6 +50,9 @@ access_control: - group: dev allowed_domains: - secret2.test.local + - user: harry + allowed_domains: + - secret1.test.local # Configuration of session cookies diff --git a/src/lib/routes/first_factor.js b/src/lib/routes/first_factor.js index 4ba9a97c..59464e6e 100644 --- a/src/lib/routes/first_factor.js +++ b/src/lib/routes/first_factor.js @@ -5,13 +5,17 @@ var exceptions = require('../exceptions'); var objectPath = require('object-path'); var Promise = require('bluebird'); -function get_allowed_domains(access_control, groups) { +function get_allowed_domains(access_control, username, groups) { var allowed_domains = []; for(var i = 0; i= 0) { + if('allowed_domains' in rule) { + if('group' in rule && groups.indexOf(rule['group']) >= 0) { + var domains = rule.allowed_domains; + allowed_domains = allowed_domains.concat(domains); + } + else if('user' in rule && username == rule['user']) { var domains = rule.allowed_domains; allowed_domains = allowed_domains.concat(domains); } @@ -58,7 +62,8 @@ function first_factor(req, res) { objectPath.set(req, 'session.auth_session.email', emails[0]); if(config.access_control) { - var allowed_domains = get_allowed_domains(config.access_control, groups); + var allowed_domains = get_allowed_domains(config.access_control, + username, groups); logger.debug('1st factor: allowed domains are %s', allowed_domains); objectPath.set(req, 'session.auth_session.allowed_domains', allowed_domains); diff --git a/test/unitary/routes/test_first_factor.js b/test/unitary/routes/test_first_factor.js index 4798f982..9f52bc92 100644 --- a/test/unitary/routes/test_first_factor.js +++ b/test/unitary/routes/test_first_factor.js @@ -74,23 +74,45 @@ describe('test the first factor validation route', function() { }); }); - it('should store the allowed domains in the auth session', function() { - config.access_control = []; - config.access_control.push({ - group: 'group1', - allowed_domains: ['domain1.example.com', 'domain2.example.com'] - }); - return new Promise(function(resolve, reject) { - res.send = sinon.spy(function(data) { - assert.deepEqual(['domain1.example.com', 'domain2.example.com'], - req.session.auth_session.allowed_domains); - assert.equal(204, res.status.getCall(0).args[0]); - resolve(); + describe('store the allowed domains in the auth session', function() { + it('should store the per group allowed domains', function() { + config.access_control = []; + config.access_control.push({ + group: 'group1', + allowed_domains: ['domain1.example.com', 'domain2.example.com'] + }); + return new Promise(function(resolve, reject) { + res.send = sinon.spy(function(data) { + assert.deepEqual(['domain1.example.com', 'domain2.example.com'], + req.session.auth_session.allowed_domains); + assert.equal(204, res.status.getCall(0).args[0]); + resolve(); + }); + ldap_interface_mock.bind.withArgs('username').returns(Promise.resolve()); + ldap_interface_mock.get_emails.returns(Promise.resolve(emails)); + ldap_interface_mock.get_groups.returns(Promise.resolve(groups)); + first_factor(req, res); + }); + }); + + it('should store the per group allowed domains', function() { + config.access_control = []; + config.access_control.push({ + user: 'username', + allowed_domains: ['domain1.example.com', 'domain2.example.com'] + }); + return new Promise(function(resolve, reject) { + res.send = sinon.spy(function(data) { + assert.deepEqual(['domain1.example.com', 'domain2.example.com'], + req.session.auth_session.allowed_domains); + assert.equal(204, res.status.getCall(0).args[0]); + resolve(); + }); + ldap_interface_mock.bind.withArgs('username').returns(Promise.resolve()); + ldap_interface_mock.get_emails.returns(Promise.resolve(emails)); + ldap_interface_mock.get_groups.returns(Promise.resolve(groups)); + first_factor(req, res); }); - ldap_interface_mock.bind.withArgs('username').returns(Promise.resolve()); - ldap_interface_mock.get_emails.returns(Promise.resolve(emails)); - ldap_interface_mock.get_groups.returns(Promise.resolve(groups)); - first_factor(req, res); }); });